StudentShare
Web-Based Enterprise Applications Security Guidelines - Research Paper Example

Summary
The paper "Web-Based Enterprise Applications Security Guidelines" argues that proper approaches providing comprehensive protection from security breaches, comprising intrusion detection and control of information access, are required for developing secure web-based enterprise applications…

Web-Based Enterprise Applications Security Guidelines

In the current scenario, more and more enterprises are using web-based applications for various commercial purposes. With the increasing use of web-based applications, maintaining adequate security has become a vital issue for ensuring reliability and trust. Since web-based applications deal with sensitive information about clients and partners, it is crucial for enterprises to safeguard against external as well as internal threats. Based on this, the project discusses the various web security issues that application developers must consider. Furthermore, it provides approaches and guidelines that should be followed in order to ensure the security of web-based enterprise applications.

INTRODUCTION
In the contemporary business environment almost every enterprise has an online presence, not only for providing information but also for interacting with key stakeholders such as customers, clients and dealers through different web-based applications. From online communication applications to electronic investment, enterprises are constantly spawning web-based applications that provide increased access to vital information. Web-based applications are currently regarded as the lifeblood of modern enterprises, as they permit employees to perform crucial business activities. When these applications are allowed to access enterprise networks, they can easily share information. When web-based applications were first developed, information security strategies were fairly simple to impose; nevertheless, modern enterprises are now grappling with numerous security threats. Consumer-driven tools have released a new trend of web-based applications which can easily be breached and can simply evade the traditional enterprise network security barriers (Fortinet, “Controlling Web 2.0 Applications in the Enterprise”).
PROBLEM AND MOTIVATION
As businesses grow, enterprises become more dependent on web-based applications, and these complex systems become more challenging to secure. Several enterprises secure their networks by installing firewalls and ‘Secure Socket Layer’ (SSL), among other measures, but most web-based attacks are focused on the application level rather than the network level, and these measures are unable to prevent such attacks. Accordingly, the key motivation for undertaking this study is to devise guidelines to protect and secure the enterprise network. Additionally, the paper discusses approaches for enhancing the security of web-based applications (IBM Corporation, “Understanding Web Application Security Challenges”).

BACKGROUND AND RELATED LITERATURE
Nowadays, most enterprises depend on web-based applications to operate their business procedures, to conduct dealings with suppliers and to provide services to customers. Unfortunately, in order to stay ahead of the competition, many of them spend little effort on verifying the security of those applications. Present web-based applications often compromise the security of the enterprise network, as intruders are making use of more advanced and sophisticated techniques to gain unauthorised access to confidential information such as client data. According to IBM's research, about 4000 web-based application vulnerabilities are identified every year, and 92% of the information lost within enterprises is lost primarily through breaches of web-based application security. Enterprises are therefore required to implement application security programs and solutions that incorporate security analysis into the application development life cycle, so that weaknesses can be recognised and fixed before they expose the enterprise to new security threats (IBM Corporation, “IBM Security AppScan Enterprise”).
Unlike traditional applications, web-based applications have inherent vulnerabilities due to their structural design and because they are accessible to extensive audiences. Several web servers include features that permit remote management of information, for example file management. In such servers, inadequate access control can generate security threats for enterprises: through a web-based application, an intruder can gain access to the enterprise web server by taking advantage of weak remote administration (Singh 30-36). According to the research of Lebanidze (1-182), most enterprise web applications use an n-tiered architecture comprising a web server tier, an application tier and a database tier, and there are plentiful application-level threats in every tier. The web server tier (also known as the presentation tier) is a prospective target for attackers; some of the common threats in this tier are profiling, denial of service, illegal access, arbitrary code execution and privilege escalation. Apart from that, there are always threats from viruses, worms and Trojan horses in web-based applications. The application tier usually contains the business logic of the web-based application; the serious security threats in this tier include snooping, unauthorised access, buffer overflow and viruses. The database tier encompasses the stores to which application data is persisted; some of the major threats in this tier are network eavesdropping, password cracking and SQL injection, among others (Zhao, Chen, Xu, Heilili and Lin 618-625). According to the research of Kahonge, Okello-Odongo, Miriti and Abade (138-143), among other attacks, the most common attacks on web-based applications are SQL injection, command injection and cross-site scripting.
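As an added example that is not part of the paper, the following Python module contrasts the three attack classes named above with their hardened forms: string-spliced versus parameterised SQL, an allow-list plus argv-without-shell for OS commands, and output escaping against cross-site scripting. The in-memory users table, the host allow-list and the use of `echo` as a stand-in admin utility are all constructed for this demonstration.

```python
import html
import sqlite3
import subprocess

# Constructed in-memory stand-in for the database tier (sample rows, not real data).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "staff")])
    return db

def lookup_vulnerable(db, name):
    # Untrusted input is spliced into the statement text: SQL injection.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    # Parameterised query: the driver passes `name` as data, never as SQL text.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

# Hypothetical allow-list of hosts an admin page is permitted to act on.
ALLOWED_HOSTS = {"db1.internal", "db2.internal"}

def validate_host(host):
    # Reject anything not on the allow-list before it reaches any OS command.
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not permitted: {host!r}")
    return host

def run_without_shell(text):
    # argv list with shell=False: `text` is one literal argument, so shell
    # metacharacters (; && |) are never interpreted. `echo` stands in for a
    # real admin utility so the example runs offline.
    out = subprocess.run(["echo", text], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")

def render_greeting(name):
    # Escape on output so user-supplied text cannot become HTML or script.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))  # every row is returned
    print("safe:      ", lookup_safe(db, crafted))        # []
    print(run_without_shell("db1.internal && extra"))
    print(render_greeting("<b>bob</b>"))
```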
SQL injection is an application-layer attack which abuses improper coding practices in web-based applications and thereby allows intruders to add SQL commands over the internet. In a similar context, command injection uses the web-based program to execute unauthorised commands on the operating system on behalf of the intruder. Among numerous security threats, command injection is particularly common in web-based enterprise applications: once attackers know the weaknesses of the enterprise platform, they can effortlessly exploit the command set accessible through the web-based application. Cross-site scripting, on the other hand, is a threat aimed at the enterprise website and at modifying its data; in this type of attack, attackers inject HTML or JavaScript syntax in order to gain access to the enterprise network.

APPROACH AND UNIQUENESS
There are several approaches which can be used to ensure reliable security of web-based enterprise applications. These approaches must be followed across every stage of web-based application development.

Secure the Weakest Link: In every enterprise, it is vital to establish all-round strong security and to ensure that no security gap remains. For example, if information is transferred under a solid encryption procedure but stored unencrypted, the intruder is more likely to go after the unencrypted information. In a web-based enterprise application, the weak link is the gateway server used in particular by the ‘Wireless Application Protocol’ (WAP) to convert the encrypted data. Thus, in order to breach security, attackers do not need to target the strong link of the application server; rather, they wait for the gateway server to decrypt the information and then exploit any flaw in the application.
In a similar context, invaders will not attempt to overcome the security of the firewall; rather, they will attempt to exploit weaknesses in the application that is reachable through the firewall. Thus, the weakest link of the security chain must be considered in order to secure web-based enterprise applications (Lebanidze 1-182).

Establish Defence in Depth: This approach demands multiple complementary defensive measures to secure web-based enterprise applications, so that if one defence layer is breached, another layer can still prevent unauthorised access. In an enterprise web-based application, data transfer between the application server and the database server should be encrypted. Furthermore, apart from the firewall, developers must implement additional protections, such as encryption of stored data (Lebanidze 1-182).

Simplicity of Application Design: Excessively complex application design can generate severe security issues. Complexity makes it difficult to assess the security level of a web-based enterprise application and therefore increases the possibility of security threats. Furthermore, in a complex design it is quite challenging to assess any accidental consequence of a security breach. It is also true, however, that customers nowadays demand increased functionality in web-based applications, which in turn generates security-related problems. Hence, web application developers must recognise the possible security implications before introducing a new feature. While developing web-based applications, only a few modules should serve as entry points from the application into the computer system, and strong security should be incorporated into those modules. Special care must be taken to ensure that there remains no gap by which the security checks of those modules can be evaded (Lebanidze 1-182).

Confidentiality: Web-based enterprise applications should store as little confidential information as possible.
Besides, developers of enterprise web applications must ensure that confidential information is protected from illegal disclosure (Lebanidze 1-182).

Utilisation of Proven Technologies: Use of proven technology is a good approach, as it promotes the security of web-based enterprise applications. Predominantly published and well-reviewed components should be used in enterprises (Lebanidze 1-182).

RESULTS AND CONTRIBUTIONS
Database Security Features Offered in Market-Leading Enterprise DBMS: There are several enterprise DBMS systems which provide security features that enable the development of secure web-based enterprise applications. For instance, in Oracle DBMS the security features comprise automatic secure configuration, enhanced password protection, strong authentication and improved encryption, among others (Oracle, “What's New in Oracle Database Security?”). On the other hand, DB2, another DBMS, provides security features such as authentication, authorisation, trusted contexts, auditing, access control and encryption (IBM Corporation, “DB2 Security”).

Guidelines for Establishing a Secure Enterprise Web Application Project: By applying specific guidelines, enterprise web applications can be well protected from security breaches.

Determine and create standards: As part of developing a secure web-based enterprise application, there is first a need to determine standards covering technical information (such as the use of Internet Protocol, the operating system and the Domain Name System) and commercial information (such as authorised personnel and responsible authorities). Additionally, thorough scanning must be conducted in order to discover common vulnerabilities of the application.

Evaluate and allocate risks: After determining the security risks, the web-based enterprise applications need to be ranked according to risk, concentrating on data storage, control of data access, user provisioning and management of rights.
Furthermore, the security approaches also need to be appraised against organisational, industrial and governmental compliance requirements.

Safeguard the application and control loss: In order to ensure the security of enterprise web applications, the application needs to be safeguarded against the top security threats and the available patches applied to it.

Constant observation and review: As part of enhancing security, scheduled observation of the security aspects must be maintained. Whenever a security threat is detected, immediate action should be taken to eradicate it (IBM Corporation, “Understanding Web Application Security Challenges”).

Implementation of an Intrusion Detection System (IDS): Early detection is regarded as key to protecting web-based enterprise applications. In this context, implementing an IDS can help to recognise patterns of network misuse and keep the security protection in step with new vulnerabilities.

CONCLUSION
Enterprises can no longer avoid the use of web-based applications. As employees, business associates and customers continue to use web-based applications, demand for them will increase. In line with the increasing demand for and utilisation of web-based enterprise applications, new levels of security threats are likely to appear. Thus, proper approaches and guidelines that provide comprehensive protection from security breaches, comprising intrusion detection and control of information access, are required for developing secure web-based enterprise applications. However, before undertaking any security measures, it is vital to understand the security requirements of the enterprise and then to select the proper combination of security options. To stay ahead in today's internet-oriented environment, an enterprise needs to develop a platform which can effectively accommodate new features in web-based applications without compromising security.
In addition, security implementation is also required for mitigating security threats and providing complete protection in web-based enterprise applications.

Works Cited
“Controlling Web 2.0 Applications in the Enterprise”. Fortinet. 2011. Web. 24 Jan. 2014.
“Understanding Web Application Security Challenges”. IBM Corporation. 2008. Web. 24 Jan. 2014.
“IBM Security AppScan Enterprise”. IBM Corporation. 2012. Web. 24 Jan. 2014.
“DB2 Security”. IBM Corporation. 2012. Web. 24 Jan. 2014.
Kahonge, Andrew Mwaura, William Okello-Odongo, Evans K. Miriti and Elisha Abade. “Web Security and Log Management: An Application Centric Perspective.” Journal of Information Security 4 (2013): 138-143. Print.
Lebanidze, Eugene. “Securing Enterprise Web Applications at the Source: An Application Security Perspective.” The Open Web Application Security Project (2005): 1-182. Print.
“What's New in Oracle Database Security?” Oracle. 2006. Web. 24 Jan. 2014.
Singh, Tejinder. “Securing Web Applications and Finding Security Vulnerabilities in Java”. International Journal of Research in Engineering & Applied Sciences 2.3 (2012): 30-36. Print.
Zhao, Chen, Yang Chen, Dawei Xu, NuerMaimaiti Heilili and Zuoquan Lin. “Integrative Security Management for Web-Based Enterprise Applications”. Advances in Web-Age Information Management (2005): 618-625. Print.
Source: https://studentshare.org/information-technology/1626001-web-base-enterprise-applications-security-guidelines